Method for storing an object on a plurality of storage nodes

ABSTRACT

A method for storing an object on a plurality of storage nodes includes encrypting an object to be stored with a key, computing one or more hash values for the object to be stored, storing the encrypted object on the plurality of storage nodes, providing storage location data for the stored object, and computing a transaction for a blockchain. Information can be encoded in the transaction. The encoded information can represent the storage location data and the computed one or more hash values and key data. The key data can include at least one of: (i) a copy of the key and (ii) a copy of a master secret from which the key was derived.

CROSS-REFERENCE TO PRIOR APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 15/756,599 filed on Mar. 1, 2018, which was a U.S. National Stage Entry under 35 U.S.C. § 371 of International Application No. PCT/EP2015/070206 filed on Sep. 4, 2015, both of which are hereby incorporated by reference herein. The International Application was published in English on Mar. 9, 2017 as WO 2017/036546 A1 under PCT Article 21(2).

FIELD

The present invention relates to a method for storing an object on a plurality of storage nodes, said method performed in a memory available to one or more computing entities.

The present invention further relates to a method for retrieving a stored object.

The present invention further relates to a system for storing an object comprising a plurality of storage nodes for storing said object, one or more blockchain nodes for hosting a blockchain for transactions and one or more user clients connected to said storage nodes and said blockchain nodes.

Even further the present invention relates to a non-transitory computer readable medium storing a program causing a computer to execute a method for storing an object on a plurality of storing nodes.

Even further the present invention relates to a method, performed on a client, for storing an object on a plurality of storage nodes.

Even further the present invention relates to a non-transitory computer readable medium storing a program causing a computer to execute, on a client, a method for storing an object in an object on a plurality of storage nodes.

Although applicable in general to any kind of secure distributed consensus protocol enabling storing of information being replicated across a plurality of nodes, the present invention will be described with regard to blockchain as secure distributed consensus protocol.

BACKGROUND

Due to the increasing complexity of data-serving systems nowadays and an increased criticality of stored data, Byzantine-fault tolerance was established as an alternative to crash-fault tolerance, since a large spectrum of issues including simple outages, software bugs, misconfigurations and even intrusions can be grouped together under the term “arbitrary failure” or “Byzantine failure”.

For example, to implement a robust replicated data store, i.e. one guaranteeing correctness under arbitrary failures, in the presence of asynchrony, concurrency and failures, quorum based replication is used. In the non-patent literature of Jean-Philippe Martin, Lorenzo Alvisi, Michael Dahlin “Minimal Byzantine Storage”, DISC 2002: 311-325, it is shown that 3f+1 servers have to be used for Byzantine-fault tolerance of arbitrary failures. To read a correct value, a quorum Qr, i.e. a set of servers Qr, queried by a read operation needs to intersect a quorum Qw updated by a write operation in f+1 servers. This guarantees that there is at least one correct server in the intersection, since at most f may fail Byzantine. This translates to the following requirement:

|Qr| + |Qw| − n >= f + 1    (1)

wherein n is the total number of servers to be used.

Furthermore, to avoid indefinitely waiting for crashed servers during a read or a write operation, the quorums of servers Qr and Qw can comprise at most n−f servers. Since at most f servers may be faulty, n−f servers are guaranteed to eventually reply. This translates to the following requirement:

|Qr| = |Qw| <= n − f    (2)

Combining the two requirements (1) and (2) leads to:

2n − 2f − n >= f + 1  =>  n >= 3f + 1.

Therefore conventional systems use 3f+1 servers for Byzantine fault-tolerant storage.

For example, in the non-patent literature of Alysson Neves Bessani, Miguel P. Correia, Bruno Quaresma, Fernando André, Paulo Sousa: “DepSky: Dependable and secure storage in a cloud-of-clouds”, EuroSys 2011: 31-46, 3f+1 servers or clouds are used to tolerate the failure of up to f servers using Byzantine quorum-based data replication.

In the further non-patent literature of Miguel Castro, Barbara Liskov “Practical byzantine fault tolerance and proactive recovery”, ACM Trans. Comput. Syst. 20(4): 398-461 (2002) and Dahlia Malkhi, Michael K. Reiter “Byzantine Quorum Systems”, Distributed Computing 11(4): 203-213 (1998), other conventional Byzantine fault tolerance systems are shown.

Since tolerating Byzantine faults requires f servers more than needed to tolerate only crash failures, one of the problems of Byzantine quorum-based data replication is the additional cost compared to crash tolerant systems. For example, as shown in the non-patent literature of Rui Fan, Nancy A. Lynch “Efficient Replication of Large Data Objects”, DISC 2003: 75-91, 2f+1 servers are used to tolerate f crashes, yet no Byzantine faults can be tolerated.

Thus, Byzantine-fault tolerance protocols are still complicated and costly to implement. As already mentioned, conventional Byzantine-fault tolerance storage systems require 3f+1 servers in order to tolerate any f Byzantine nodes to ensure full consistency, and it is often required that readers contact multiple servers at a time in order to retrieve the most updated version of an object, as for example disclosed in the non-patent literature of Elli Androulaki, Christian Cachin, Dan Dobre, Marko Vukolic, “Erasure-Coded Byzantine Storage with Separate Metadata”, in Proceedings of OPODIS 2014 and in the non-patent literature of Dan Dobre, Ghassan Karame, Wenting Li, Matthias Majuntke, Neeraj Suri, Marko Vukolic “PoWerStore: Proofs of Writing for Efficient and Robust Storage”, in Proceedings of the ACM Conference on Computer and Communications Security (CCS), Berlin, Germany, 2013.

SUMMARY

In an embodiment, the present invention provides a method for storing an object on a plurality of storage nodes. In a step a), an object to be stored is encrypted with a key. In a step b), one or more hash values are computed for the object to be stored. In a step c), the encrypted object is stored on the plurality of storage nodes. In a step d), storage location data is provided for the stored object. In a step e), a transaction is computed for a blockchain, wherein information is encoded in the transaction, the encoded information representing the storage location data, the computed one or more hash values and key data, wherein the key data includes at least one of: (i) a copy of the key and (ii) a copy of a master secret from which the key was derived. In a step f), the transaction is stored in the blockchain, wherein the key data encoded into the blockchain transaction, including the at least one of the copy of the key and the copy of the master secret for deriving the key, is encrypted.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will be described in even greater detail below based on the exemplary figures. The invention is not limited to the exemplary embodiments. All features described and/or illustrated herein can be used alone or combined in different combinations in embodiments of the invention. The features and advantages of various embodiments of the present invention will become apparent by reading the following detailed description with reference to the attached drawings which illustrate the following:

FIG. 1 shows steps of a method according to an embodiment of the present invention;

FIG. 2 shows a step of a method according to a further embodiment of the present invention; and

FIG. 3 shows a step of a method according to a further embodiment of the present invention.

DETAILED DESCRIPTION

Improvements provided by embodiments of the invention include providing a Byzantine-fault tolerance storage system with minimum costs and maximum efficiency.

In an embodiment the present invention provides a method for storing an object on a plurality of storage nodes, said method performed in a memory available to one or more computing entities, said method comprising the steps of

-   a) Encrypting an object to be stored with a key,
-   b) Computing one or more hash values for said object to be stored,
-   c) Storing said encrypted object on a plurality of said storage nodes,
-   d) Providing storage location data for said stored object,
-   e) Computing a transaction for a blockchain, wherein information is encoded in said transaction, said encoded information representing storage location data, said computed one or more hash values and key data,
-   f) Storing said transaction in a blockchain provided by one or more blockchain nodes hosting said blockchain,
-   g) Providing a number of confirmations for said transaction stored in said blockchain by said blockchain nodes,
-   h) Comparing said number of confirmations with a predefined threshold confirmation number, wherein said predefined threshold confirmation number is computed such, that with a pregiven certainty the encoded information in said transaction stored in the blockchain cannot be modified.

Said method may be performed in a memory available to one or more computing devices.

In a further embodiment the present invention provides a method for retrieving an object stored comprising the steps of

-   A) Searching for all transactions issued by a user in the blockchain,
-   B) Parsing found transactions to obtain the encoded information for said object,
-   C) Decrypting key data of the obtained encoded information,
-   D) Computing a decryption key based on the decrypted key generation data,
-   E) Retrieving the object from a storage node, and
-   F) Comparing a hash value of the retrieved object with the hash value computed during storage of the object and upon matching determining that the stored object has not been altered.

In a further embodiment the present invention provides a system for storing an object comprising a plurality of storage nodes for storing said object, one or more blockchain nodes for hosting a blockchain for transactions and one or more user clients connected to said storage nodes and said blockchain nodes, wherein

the client is adapted
-   to encrypt an object to be stored with a key,
-   to compute one or more hash values for said object to be stored,
-   to initiate storing said encrypted object on a plurality of said storage nodes,
-   to compute a transaction for a blockchain, wherein information is encoded in said transaction, said encoded information representing storage location data, said computed one or more hash values and key data, and
-   to initiate storing said transaction in a blockchain provided by one or more blockchain nodes hosting said blockchain,
-   to compare a received number of confirmations with a predefined threshold confirmation number, wherein said predefined threshold confirmation number is computed such, that with a pregiven certainty the encoded information in said transaction and stored in the blockchain cannot be modified,

said storage nodes being adapted
-   to provide storage location data for said stored object,

said blockchain nodes being adapted
-   to store said transaction in a blockchain, provided by one or more blockchain nodes hosting said blockchain,
-   to provide a number of confirmations for said transaction by said blockchain.

In a further embodiment the present invention provides a non-transitory computer readable medium storing a program causing a computer to execute a method for storing an object on a plurality of storage nodes, said method comprising the steps of

-   a) Encrypting an object to be stored with a key,
-   b) Computing one or more hash values for said object to be stored,
-   c) Storing said encrypted object on a plurality of said storage nodes,
-   d) Providing storage location data for said stored object,
-   e) Computing a transaction for a blockchain, wherein information is encoded in said transaction, said encoded information representing storage location data, said computed one or more hash values and key data,
-   f) Storing said transaction in a blockchain provided by one or more blockchain nodes hosting said blockchain,
-   g) Providing a number of confirmations for said transaction stored in said blockchain by said blockchain,
-   h) Comparing said number of confirmations with a predefined threshold confirmation number, wherein said predefined threshold confirmation number is computed such, that with a pregiven certainty the encoded information in said transaction stored in the blockchain cannot be modified.

In a further embodiment the present invention provides a method, performed on a client, for storing an object on a plurality of storage nodes, said method performed in a memory available to said client, said method comprising the steps of

-   1) Encrypting an object to be stored with a key,
-   2) Computing one or more hash values for said object to be stored,
-   3) Initiating storing said encrypted object on a plurality of said storage nodes,
-   4) Receiving storage location data for said stored object,
-   5) Computing a transaction for a blockchain, wherein information is encoded in said transaction, said encoded information representing storage location data, said computed one or more hash values and key data,
-   6) Initiating storing said transaction in a blockchain provided by one or more blockchain nodes hosting said blockchain,
-   7) Receiving a number of confirmations for said transaction,
-   8) Comparing said number of confirmations with a predefined threshold confirmation number, wherein said predefined threshold confirmation number is computed such, that with a pregiven certainty the encoded information in said transaction and stored in the blockchain cannot be modified.

In a further embodiment the present invention provides a non-transitory computer readable medium storing a program causing a computer to execute on a client a method for storing an object on a plurality of storage nodes, said method comprising the steps of

-   1) Encrypting an object to be stored with a key,
-   2) Computing one or more hash values for said object to be stored,
-   3) Initiating storing said encrypted object on a plurality of said storage nodes,
-   4) Receiving storage location data for said stored object,
-   5) Computing a transaction for a blockchain, wherein information is encoded in said transaction, said encoded information representing storage location data, said computed one or more hash values and key data,
-   6) Initiating storing said transaction in a blockchain provided by one or more blockchain nodes hosting said blockchain,
-   7) Receiving a number of confirmations for said transaction,
-   8) Comparing said number of confirmations with a predefined threshold confirmation number, wherein said predefined threshold confirmation number is computed such, that with a pregiven certainty the encoded information in said transaction and stored in the blockchain cannot be modified.

At least one embodiment has the advantage that a robust and provably authenticated storage system and method is provided. Further at least one embodiment of the present invention has the advantage that no metadata node is required and the storage system can resist up to n−1 Byzantine storage nodes out of n storage nodes. At least one embodiment has the advantage of enhancing the performance compared to conventional Byzantine fault tolerant storage systems. At least one embodiment has the advantage of requiring a smaller number of storage nodes and metadata nodes.

The term “object” is to be understood, in particular in the claims, preferably in the description as any kind of information or data.

The term “blockchain” is to be understood, in particular in the claims, preferably in the description as a distributed database maintaining a continuously growing list of data records that are hardened against tampering and revision even by operators of the data storing nodes hosting the database. A blockchain comprises for example two kinds of records: so-called transactions and so-called blocks. Transactions may be the actual data to be stored in the blockchain and blocks may be records confirming when and in what sequence certain transactions became journaled as a part of the blockchain database. Transactions may be created by participants and blocks may be created by users who may use specialized software or equipment designed specifically to create blocks. The term “blockchain” is e.g. identical to the Bitcoin blockchain; Bitcoin as a digital currency was introduced in 2008 and has meanwhile gained more adoption and attention than any other digital currency to date. Currently Bitcoin is integrated across several businesses and has several exchange markets.

In the last couple of years research concerning Bitcoin was focused on the provisions of Bitcoin as digital currency as disclosed in the non-patent literature of Ghassan Karame, Elli Androulaki, Srdjan Capkun, “Double-Spending Attacks on Fast Payments in Bitcoin”, in Proceedings of the ACM Conference on Computer and Communications Security (CCS), Chicago, Ill., USA, 2012.

Bitcoin is based on the so-called blockchain. This blockchain provides a distributed consensus scheme enabling transactions and any other data to be securely stored and verified without any centralized authority. A number of applications have already been published. For instance, recent studies have shown that blockchain enables the construction of a time-dependent public randomness beacon as disclosed in the non-patent literature of F. Armknecht, J. Bohli, G. O. Karame, Z. Liu, and C. A. Reuter, “Outsourced proofs of retrievability”, in Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, Scottsdale, Ariz., USA, Nov. 3-7, 2014, pages 831-843, 2014, outputting 64 bits of minimal entropy every 10 minutes as disclosed in the non-patent literature of Bitcoin as a public source of randomness, https://docs.google.com/presentation/d/1VWHm4Moza2znhXSOJ8FacfNK2B_vxnfbdZgC5EpeXFE/view?pli=1#slide=id.g3934beb89_034, 2014.

In Bitcoin, users execute payments by digitally signing the transactions and are prevented from double-spending their coins, i.e. signing over the same coin to different users, through a distributed time-stamping service. This service operates on top of the Bitcoin peer-to-peer network ensuring that all transactions and their order of execution are available to all Bitcoin users.

Transactions are basically formed by digitally signing a hash of the previous transaction, where this coin was last spent, along with a public key of the future owner and incorporating this signature in the coin as disclosed in the non-patent literature of Ghassan Karame, Elli Androulaki, Srdjan Capkun, “Double-Spending Attacks on Fast Payments in Bitcoin”, in Proceedings of the ACM Conference on Computer and Communications Security (CCS), Chicago, Ill., USA, 2012.

Any peer can verify the authenticity of a Bitcoin by checking the chain of signatures. Transactions may optionally include a text field which can be used to add text to transactions. Alternatively text can be added in the form of invalid public keys. That means instead of specifying a valid public key, one can encode text and include the encoded text in this field. Bitcoin enables multi-output transactions and multi-signature transactions, thus enabling large text fields in place of multiple public keys.

The term “node” is to be understood in its broadest sense, preferably in the claims, in particular in the description and indicates any kind of computing device or computing entity, computer or the like.

The term “storage location data” is to be understood in its broadest sense, and refers in particular in the claims, preferably in the description to any kind of information or data which enables finding the location(s) of a stored object on a node, server or the like.

The term “key data” is to be understood in its broadest sense and refers in particular in the claims, preferably in the description to any kind of data which comprises information of, about or being related to encryption and/or decryption keys, master secrets, master secret keys or the like.

The term “confirmation” refers in particular in the claims, preferably in the description to any kind of data or information, indicating, acknowledging or confirming correct storage, e.g. in the blockchain.

The term “threshold number” is to be understood as a natural number including zero.

The term “computing device” or “computing entity”, etc. refers in particular in the claims, preferably in the description to a device adapted to perform computing like a personal computer, a tablet, a mobile phone, a server, or the like and may comprise one or more processors having one or more cores and may be connectable to a memory for storing an application which is adapted to perform corresponding steps of one or more of the embodiments of the present invention. Any application may be software based and/or hardware based installed in the memory on which the processor(s) can work on. The computing devices or computing entities may be adapted in such a way that the corresponding steps to be computed are performed in an optimized way. For instance different steps may be performed in parallel with a single processor on different ones of its cores.

The term “computer readable medium” may refer to any kind of medium, which can be used together with a computation device or computer and on which information can be stored. Said information may be any kind of data e.g. instructions, commands or the like which can be read into a memory of a computer and may be executed by said computer. For example said information may include program code for executing with said computer. Examples of a computer readable medium are tapes, CD-ROMs, DVD-ROMs, DVD-RAMs, DVD-RWs, BluRay, DAT, MiniDisk, solid state disks SSD, floppy disks, SD-cards, CF-cards, memory-sticks, USB-sticks, EPROM, EEPROM or the like.

Further features, advantages and further embodiments are described or may become apparent in the following:

The key for encryption may be generated and based on a precomputed master secret. A master secret enables for example in an easy way to construct a decryption key.

Encryption of step a) may be performed semantically secure. This enhances the security since an attacker cannot draw conclusions about the contents of a ciphertext except the length of the ciphertext.

Key data may include said precomputed master secret and/or the encryption key itself, wherein said key data may be secured with a passphrase. This enables an efficient construction of a decryption key and a later download of the stored object.

An information dispersal algorithm may be used on the encrypted object to be stored resulting in a first number of chunks such that the encrypted object can be reconstructed from a second number of chunks, said second number being smaller than said first number, wherein in step c) the hash values for the first number of chunks are computed and subsequently used for steps d)-h). This enables an erasure-coded storage: A user then may erasure code the encrypted object by using said information dispersal algorithm so that any m chunks out of the n erasure coded chunks are enough to construct the encrypted object. The user then may compute the individual hashes of each chunk. After storing the m chunks on n storage servers the user may then store the following information in the blockchain: E(S)∥P1, . . . , Pn∥H1, . . . , Hn wherein P1, . . . , Pn indicate pointers, pointing to the location of the encrypted object and E(S) denotes an encrypted master secret. This provides security even when n−m storage nodes are arbitrarily Byzantine and when a large fraction, for example of Bitcoin nodes, is arbitrarily Byzantine. A user can also directly detect said Byzantine storage nodes.

A public/private key pair may be provided for a user of a plurality of users, wherein each public key maps to a Bitcoin address and wherein a master key, which is used for encryption of an object, is preshared among said plurality of users. This enables an authenticated storage: Authenticated storage refers to a storage system where each entity can prove to another that it has stored a given object. Applications for such authenticated storage are for example court documents, which need to be proven that they are stored by a given entity, any modifications to legal documents, etc. In detail: To provide said authenticated storage, the plurality of users each have a public/private key pair. Each public key maps to a Bitcoin address. Whenever a user wants to commit a change to a given document, the user may perform the following steps, under the assumption that all these users have preshared a master key K1. Prior to storing a version change of object O on the servers, a user encrypts the object O with the preshared master key K1, Enc(K1, O) denoting a semantic secure encryption of object O under key K1. The user then proceeds to store object O according to steps a)-h). Since users are authenticated (each user is authenticated with each transaction he makes), users can prove to others that they performed a given modification to a given object like a document, etc.

Said encryption key and/or master secret used for generating the encryption key may be encrypted and stored in said blockchain. This provides a perpetual storage for encryption keys: The blockchain is used as inherent storage for keys since they are small in size and they will be stored and replicated usually across millions of blockchain nodes. This has the advantage that keys are unlikely to be lost and, due to the blockchain's inherent features, these keys can never be modified.

The object to be stored may be a group encryption key defined for a group of users. This allows a public bulletin board to be provided: A group key can be derived by a plurality of users using the blockchain as committed and authenticated communication medium.

The method for retrieving an object may comprise the step G) of, upon matching, decrypting the retrieved object using the computed decryption key. This makes it possible to provide the object in clear text when certainty is given that the object has not been modified.

The storage node in step E) may be selected randomly. This enables in an easy and efficient way to download the object from one of the storage nodes.

FIG. 1 shows steps of a method according to an embodiment of the present invention.

In FIG. 1 some steps for providing a dependable and robust storage are shown where a user performs in detail the following steps, assuming n storage nodes SN, for example cloud servers, out of which n−1 storage nodes SN can be arbitrarily Byzantine.

-   1. Prior to storing the object O on the storage nodes SN, the user U computes a master secret S, and a key K=H(S∥“Encryption key”).
-   2. The user then computes Enc(K,O), which denotes the semantic secure encryption of object O under key K.
-   3. The user U then stores the encrypted object Enc(K,O) redundantly on the n storage nodes SN and acquires n pointers P1, . . . Pn which point to the location of the encrypted object on each of the n storage nodes, respectively.
-   4. The user encrypts master secret S using a passphrase of his choice. The resulting encryption is denoted as E(S). The user U then encodes the following information in a transaction to be confirmed in the blockchain: E(S)∥P1 . . . Pn∥H(Enc(K,O)), where H(.) is a hash function.
-   5. Once the transaction acquires enough confirmations in the blockchain (e.g. six confirmations are enough), the user U is certain that the metadata information, i.e. the encoded information in the blockchain, can never be modified by any entity.
-   6. To retrieve the information, the user's client searches for all transactions issued by the user U in the blockchain and parses the transactions in order to acquire E(S)∥P1 . . . Pn∥H(Enc(K,O)).
-   7. The user U decrypts S, constructs K, and downloads O from a storage node SN location e.g. picked at random. If the hash of the downloaded object matches H(Enc(K,O)), then the file has not been modified.
-   8. The user U then decrypts the file using K.

To summarize: In a first step S1 a user U encrypts the object O and computes a corresponding hash value. In a second step S2 the encrypted object is stored on the storage nodes SN and a transaction is issued in a third step S3 comprising a hash, storage pointers and encryption keys, wherein said transaction is transmitted to the blockchain BC for confirmation.

Authentication is not needed here but is implicit since nobody can issue a transaction on behalf of the user due to the underlying structure: For example in Bitcoin the issuer of a transaction is the only entity who can sign the ownership of a given coin.

The method shown is secure even if n−1 storage nodes SN are arbitrarily Byzantine and when a large fraction of blockchain nodes, for example Bitcoin nodes, is arbitrarily Byzantine as well, as for example disclosed in the non-patent literature of Arthur Gervais, Hubert Ritzdorf, Ghassan O. Karame, Srdjan Capkun, IACR Cryptology ePrint Archive 2015: 578 (2015). The user can directly detect Byzantine storage nodes SN.
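The FIG. 1 store and retrieve steps as a runnable sketch (an added example, not code from the patent). The XOR keystream cipher, the PBKDF2 passphrase wrapping with an HMAC tag, the JSON record layout and the `StorageNode`, `ByzantineNode` and `MockChain` classes are assumptions chosen so the example runs on the Python standard library alone; a deployment would use a vetted authenticated cipher and a real blockchain client.

```python
import hashlib
import hmac
import json
import random
import secrets

CONFIRMATION_THRESHOLD = 6  # example value from the text ("six confirmations")

def _xor_stream(key, nonce, data):
    # Stand-in cipher (assumption): XOR with a SHA-256 counter keystream.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def enc(key, plaintext):
    nonce = secrets.token_bytes(16)  # fresh nonce per call: randomized encryption
    return nonce + _xor_stream(key, nonce, plaintext)

def dec(key, blob):
    return _xor_stream(key, blob[:16], blob[16:])

def _passphrase_keys(passphrase, salt):
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]

def wrap_secret(secret, passphrase):
    # E(S) = salt || Enc(k_enc, S) || HMAC tag (the tag detects a wrong passphrase)
    salt = secrets.token_bytes(16)
    k_enc, k_mac = _passphrase_keys(passphrase, salt)
    ct = enc(k_enc, secret)
    return salt + ct + hmac.new(k_mac, ct, hashlib.sha256).digest()

def unwrap_secret(blob, passphrase):
    salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    k_enc, k_mac = _passphrase_keys(passphrase, salt)
    if not hmac.compare_digest(tag, hmac.new(k_mac, ct, hashlib.sha256).digest()):
        raise ValueError("wrong passphrase or corrupted E(S)")
    return dec(k_enc, ct)

class StorageNode:
    def __init__(self, name):
        self.name, self.blobs = name, {}
    def put(self, blob):
        oid = secrets.token_hex(8)
        self.blobs[oid] = blob
        return f"{self.name}/{oid}"  # pointer P_i
    def get(self, pointer):
        return self.blobs[pointer.split("/", 1)[1]]

class ByzantineNode(StorageNode):
    def get(self, pointer):  # returns a silently modified copy
        blob = bytearray(super().get(pointer))
        blob[-1] ^= 0x01
        return bytes(blob)

class MockChain:
    # Append-only list; a real chain authenticates the issuer by signature.
    def __init__(self):
        self.txs = []
    def submit(self, issuer, payload):
        self.txs.append({"issuer": issuer, "payload": payload, "confirmations": 0})
    def mine(self, blocks):
        for tx in self.txs:
            tx["confirmations"] += blocks
    def by_issuer(self, issuer):
        return [tx for tx in self.txs if tx["issuer"] == issuer]

def derive_key(secret):
    return hashlib.sha256(secret + b"Encryption key").digest()  # K = H(S || "Encryption key")

def store(obj, passphrase, nodes, chain, issuer):
    secret = secrets.token_bytes(32)                       # step 1: master secret S
    ct = enc(derive_key(secret), obj)                      # step 2: Enc(K, O)
    pointers = [node.put(ct) for node in nodes.values()]   # step 3: P1..Pn
    record = {"E(S)": wrap_secret(secret, passphrase).hex(), "P": pointers,
              "H": hashlib.sha256(ct).hexdigest()}         # step 4: E(S) || P || H
    chain.submit(issuer, json.dumps(record))

def retrieve(passphrase, nodes, chain, issuer):
    txs = [t for t in chain.by_issuer(issuer)
           if t["confirmations"] >= CONFIRMATION_THRESHOLD]  # step 5
    if not txs:
        raise LookupError("no sufficiently confirmed transaction")
    record = json.loads(txs[-1]["payload"])                  # step 6
    key = derive_key(unwrap_secret(bytes.fromhex(record["E(S)"]), passphrase))
    rejected = []
    for pointer in random.sample(record["P"], len(record["P"])):  # step 7: random node
        name = pointer.split("/", 1)[0]
        ct = nodes[name].get(pointer)
        if hmac.compare_digest(hashlib.sha256(ct).hexdigest(), record["H"]):
            return dec(key, ct), rejected                    # step 8
        rejected.append(name)
    raise LookupError("every storage node returned a modified object")
```

`retrieve` returns the plaintext together with the names of the nodes whose copy failed the hash check, which is how the client identifies Byzantine storage nodes without any metadata server.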

In another embodiment erasure coded storage is provided, the method for storage is very similar to the aforementioned method with the following differences:

The user erasure-codes Enc(K,O) using an information dispersal algorithm (IDA) so that any m chunks out of the n erasure codes are enough to construct O. The user computes the individual hash of each chunk H1, . . . , Hn. After storing the chunks on the n storage servers, the user then stores the following information in the blockchain:

E(S)∥P1 . . . Pn∥H1 . . . Hn

This scheme is secure even when n−m storage nodes are arbitrarily Byzantine, and when a large fraction of Bitcoin nodes is arbitrarily Byzantine as disclosed in the non-patent literature of Arthur Gervais, Hubert Ritzdorf, Ghassan O. Karame, Srdjan Capkun, IACR Cryptology ePrint Archive 2015: 578 (2015). The user can directly detect Byzantine storage nodes.
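The erasure-coded variant as an added example (not code from the patent): an m-of-n dispersal of a ciphertext with per-chunk hashes H1..Hn, showing how the client rejects up to n−m bad chunks and still reconstructs. The dispersal used here is a Rabin-style polynomial code over GF(257), picked for brevity; the record fields `m` and `len`, and the function names, are assumptions, and the input stands in for Enc(K,O).

```python
import hashlib

P = 257  # smallest prime above 255, so every byte value is a field element

def ida_split(data, m, n):
    """Each group of m bytes becomes a polynomial; chunk i holds its value at x=i+1."""
    padded = data + bytes(-len(data) % m)
    chunks = [bytearray() for _ in range(n)]
    for g in range(0, len(padded), m):
        coeffs = padded[g:g + m]
        for i in range(n):
            y = sum(c * pow(i + 1, j, P) for j, c in enumerate(coeffs)) % P
            chunks[i] += y.to_bytes(2, "big")  # values reach 256, so 2 bytes each
    return [bytes(c) for c in chunks]

def _invert(matrix):
    """Gauss-Jordan inversion of a square matrix over GF(P)."""
    size = len(matrix)
    aug = [row[:] + [int(r == c) for c in range(size)] for r, row in enumerate(matrix)]
    for col in range(size):
        piv = next(r for r in range(col, size) if aug[r][col])
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, P)
        aug[col] = [v * inv % P for v in aug[col]]
        for r in range(size):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(a - f * b) % P for a, b in zip(aug[r], aug[col])]
    return [row[size:] for row in aug]

def ida_join(shares, m, length):
    """Rebuild the data from any m verified chunks, given as {chunk index: bytes}."""
    xs = sorted(shares)[:m]
    inv = _invert([[pow(x + 1, j, P) for j in range(m)] for x in xs])
    out = bytearray()
    for off in range(0, len(shares[xs[0]]), 2):
        ys = [int.from_bytes(shares[x][off:off + 2], "big") for x in xs]
        out += bytes(sum(inv[j][k] * ys[k] for k in range(m)) % P for j in range(m))
    return bytes(out[:length])

def make_record(ciphertext, m, n):
    """Chunks for the n storage nodes plus the hash part of the blockchain record."""
    chunks = ida_split(ciphertext, m, n)
    record = {"m": m, "len": len(ciphertext),
              "H": [hashlib.sha256(c).hexdigest() for c in chunks]}  # H1..Hn
    return chunks, record

def recover(record, fetched):
    """fetched[i] is what node i returned (None if it did not answer)."""
    good, byzantine = {}, []
    for i, chunk in enumerate(fetched):
        if chunk is not None and hashlib.sha256(chunk).hexdigest() == record["H"][i]:
            good[i] = chunk
        else:
            byzantine.append(i)      # hash mismatch pins the fault on node i
    if len(good) < record["m"]:
        raise ValueError("fewer than m valid chunks; object cannot be rebuilt")
    return ida_join(good, record["m"], record["len"]), byzantine
```

Because each chunk is checked against its own hash from the immutable record before decoding, a modified chunk never reaches the decoder and the faulty node is named directly.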

In another embodiment, aforementioned robust storage can be adapted toprovide an authenticated storage. Authenticated storage refers to astorage system where each entity can prove to another that it had storeda given object. Typical examples are court documents which for exampleneed to be proven that they are stored by a given entity, anymodifications to legal documents, etc.

To construct an authenticated storage, a setting comprising of m usersis assumed, each having a public/private key pair. Each public key mapsto a Bitcoin address. Whenever the user wants to commit a change to agiven document, then the user performs the following operations assumingthat all these users pre-share a master key K1.

Prior to storing version change O on the servers, the user computesEnc(K1,O), which denotes the semantic secure encryption of object Ounder key K1. The user then proceeds to store O using the methodsdescribed in the aforementioned embodiment.

Since users are authenticated (each user is authenticated with eachtransaction he makes), users can prove to others that they performed agiven modification to a given document.

In a further embodiment a perpetual storage for encryption keys can beprovided using the blockchain providing effective means to securelystore encryption keys. Techniques range from hardware tokens to paper QRkeys, to trusted computing, applications specific to storing keys, etc.

An inherent storage for keys using said blockchain is enabled since they are small in size and they will be stored replicated across millions of nodes. That is, these keys are unlikely to be lost. Moreover, due to the blockchain nature, these keys can never be modified.

As described above, encryption keys can be encrypted with a passphrase and stored in the blockchain in encrypted form. Alternatively, only a master key can be stored and encrypted in the blockchain and the remaining keys can be derived from the master key.

In a further embodiment a public bulletin board is provided. A group key can be derived by n users by leveraging the blockchain as a committed and authenticated communication medium.

In a further embodiment the present invention provides a method comprising the steps of

-   1. Encrypting object with a key and storing the encrypted object on storage nodes.
-   2. Computing the encrypted object hash, and the storage pointers, and encrypting the encryption key with a passphrase.
-   3. Issuing a transaction where the outputs and/or the multi-sig fields encode the hash, URI pointers and encrypted key.
-   4. Waiting till the issued transaction is confirmed and permanently stored in the blockchain.
-   5. To retrieve the object, the user first fetches the issued transaction (by searching over the issuer's address field), acquires the storage pointers, then uses those to fetch the object from the storage node, then checks the object hash, and if the verification passes, the user decrypts the object using the key.

FIG. 2 shows steps of a method according to a further embodiment of the present invention.

In FIG. 2 steps of a method for storing an object on a plurality of storage nodes are shown said method performed in a memory available to one or more computing entities, said method comprising the steps of

-   a) Encrypting an object to be stored with a key,
-   b) Computing one or more hash values for said object to be stored,
-   c) Storing said encrypted object on a plurality of said storage nodes,
-   d) Providing storage location data for said stored object,
-   e) Computing a transaction for a blockchain, wherein information is encoded in said transaction, said encoded information representing storage location data, said computed one or more hash values and key data,
-   f) Storing said transaction in a blockchain provided by one or more blockchain nodes hosting said blockchain,
-   g) Providing a number of confirmations for said transaction by said blockchain,
-   h) Comparing said number of confirmations with a predefined threshold confirmation number, wherein said predefined threshold confirmation number is computed such, that with a pregiven certainty the encoded information in said transaction and stored in the blockchain cannot be modified.

FIG. 3 shows steps of a method according to a further embodiment of the present invention.

In FIG. 3 steps of a method for retrieving an object stored according to an embodiment of the present invention, comprising the steps of

-   A) searching for all transactions issued by a user in the blockchain,
-   B) parsing found transactions to obtain the encoded information for said object,
-   C) Decrypting key generation data,
-   D) Computing a decryption key based on the decrypted key generation data,
-   E) Retrieving the object from a storage node, and
-   F) Comparing the hash value of the retrieved object with the hash value computed during storage of the object and upon matching determining that the stored object has not been altered.
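The store and retrieve procedures above (steps 1 to 5, FIG. 2 and FIG. 3) can be traced end to end for a single object whose key is derived from a passphrase-wrapped master secret. This is an added sketch, not the patent's own code; the HMAC-based keystream, PBKDF2 parameters, record layout, pointer name and confirmation threshold are all assumptions chosen so that it runs on the Python standard library alone:

```python
import hashlib, hmac, os

def prf_stream_xor(key, nonce, data):
    """Stand-in cipher (stdlib only): XOR with an HMAC-SHA256 counter keystream.
    Assumption for illustration; a vetted AEAD such as AES-GCM would be used in practice."""
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
                  for i in range(-(-len(data) // 32)))
    return bytes(a ^ b for a, b in zip(data, ks))

def pass_keys(passphrase, salt):
    okm = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, 64)
    return okm[:32], okm[32:]                      # wrapping key, MAC key

def wrap_master(passphrase, master):
    """E(S) = salt || wrapped master secret || tag (fresh salt, so the key is single-use)."""
    salt = os.urandom(16)
    enc_key, mac_key = pass_keys(passphrase, salt)
    body = prf_stream_xor(enc_key, b"wrap", master)
    return salt + body + hmac.new(mac_key, body, hashlib.sha256).digest()

def unwrap_master(passphrase, blob):               # FIG. 3 step C
    salt, body, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = pass_keys(passphrase, salt)
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("wrong passphrase or damaged key data")
    return prf_stream_xor(enc_key, b"wrap", body)

def object_key(master, pointer):                   # FIG. 3 step D: derive from master
    return hmac.new(master, b"object-key|" + pointer.encode(), hashlib.sha256).digest()

def store_object(obj, master, passphrase, pointer, node):
    nonce = os.urandom(16)
    blob = nonce + prf_stream_xor(object_key(master, pointer), nonce, obj)
    node[pointer] = blob                           # step 1: encrypted object to storage
    return {"E(S)": wrap_master(passphrase, master), "P": pointer,
            "H": hashlib.sha256(blob).digest()}    # steps 2-3: data for the transaction

def retrieve_object(record, confirmations, threshold, passphrase, node):
    if confirmations < threshold:                  # step 4: not yet permanently stored
        raise ValueError("transaction below confirmation threshold")
    blob = node.get(record["P"])                   # FIG. 3 step E
    if blob is None or hashlib.sha256(blob).digest() != record["H"]:
        raise ValueError("storage node returned a missing or altered object")
    master = unwrap_master(passphrase, record["E(S)"])
    return prf_stream_xor(object_key(master, record["P"]), blob[:16], blob[16:])

if __name__ == "__main__":
    node, master = {}, os.urandom(32)              # constructed storage node and secret
    rec = store_object(b"constructed document", master, "pass phrase", "node-a/obj1", node)
    print(retrieve_object(rec, 6, 6, "pass phrase", node))
```

The hash check runs before any key material is unwrapped, so an altered object is rejected without the passphrase-derived keys ever being applied to attacker-supplied bytes.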

The present invention enables storing of metadata in unused transaction outputs and/or unused signature fields in the blockchain in order to

-   construct a durable reliable robust and Byzantine resilient storage,
-   an authenticated storage system, wherein each entity can prove that it committed changes in a document and wherein the order and timestamp of the changes can be securely kept and recorded in spite of malicious entities, and
-   an efficient perpetual storage for encryption keys.

Embodiments of the present invention may have the advantage of providing a robust and provably authenticated storage system not requiring any metadata node and further which can resist up to n−1 Byzantine storage nodes. Embodiments of the present invention further may have the advantage of considerably enhancing the performance compared to conventional Byzantine fault tolerance storage systems or methods requiring considerably the smaller number of storage and metadata nodes.

Many modifications and other embodiments of the invention set forth herein will come to mind to the one skilled in the art to which the invention pertains having the benefit of the teachings presented in the foregoing description and the associated drawings. Therefore, it is to be understood that the invention is not to be limited to the specific embodiments disclosed and that modifications and other embodiments are intended to be included within the scope of the appended claims. Although specific terms are employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation.

While the invention has been illustrated and described in detail in the drawings and foregoing description, such illustration and description are to be considered illustrative or exemplary and not restrictive. It will be understood that changes and modifications may be made by those of ordinary skill within the scope of the following claims. In particular, the present invention covers further embodiments with any combination of features from different embodiments described above and below. Additionally, statements made herein characterizing the invention refer to an embodiment of the invention and not necessarily all embodiments.

The terms used in the claims should be construed to have the broadest reasonable interpretation consistent with the foregoing description. For example, the use of the article “a” or “the” in introducing an element should not be interpreted as being exclusive of a plurality of elements. Likewise, the recitation of “or” should be interpreted as being inclusive, such that the recitation of “A or B” is not exclusive of “A and B,” unless it is clear from the context or the foregoing description that only one of A and B is intended. Further, the recitation of “at least one of A, B and C” should be interpreted as one or more of a group of elements consisting of A, B and C, and should not be interpreted as requiring at least one of each of the listed elements A, B and C, regardless of whether A, B and C are related as categories or otherwise. Moreover, the recitation of “A, B and/or C” or “at least one of A, B or C” should be interpreted as including any singular entity from the listed elements, e.g., A, any subset from the listed elements, e.g., A and B, or the entire list of elements A, B and C.

What is claimed is:
 1. A method for storing an object on a plurality of storage nodes, the method comprising: a) encrypting an object to be stored with a key, b) computing one or more hash values for the object to be stored, c) storing the encrypted object on the plurality of storage nodes, d) providing storage location data for the stored object, e) computing a transaction for a blockchain, wherein information is encoded in the transaction, the encoded information representing the storage location data, the computed one or more hash values and key data, wherein the key data includes at least one of: (i) a copy of the key and (ii) a copy of a master secret from which the key was derived, and f) storing the transaction in the blockchain, wherein the key data encoded into the blockchain transaction, including the at least one of the copy of the key and the copy of the master secret for deriving the key, is encrypted.
 2. The method of claim 1, wherein the key data in the blockchain transaction includes the copy of the key, which is encrypted.
 3. The method of claim 1, further comprising: retrieving the object from one or more of the storage nodes; comparing a hash value of the retrieved object with the hash value computed during storage of the object and, based on the hash values matching, determining that the stored object has not been altered.
 4. The method of claim 1, further comprising: providing a number of confirmations for the transaction stored in the blockchain by the blockchain nodes, and comparing the number of confirmations with a predefined threshold confirmation number, wherein the predefined threshold confirmation number is computed such that with a pregiven certainty the encoded information in the transaction stored in the blockchain cannot be modified.
 5. The method of claim 1, wherein the key data includes the copy of the master secret, which is encrypted.
 6. The method of claim 1, wherein an information dispersal algorithm is used on the encrypted object to be stored resulting in a first number of chunks, such that the encrypted object is reconstructable from a second number of chunks, the second number of chunks being smaller than the first number of chunks, and wherein in step c) then the hash values for the first number of chunks is computed and subsequently used.
 7. The method according to claim 1, wherein a public/private key pair is provided for each user of a plurality of users, wherein each public key maps to a blockchain address, and wherein a master key which is used for encryption of an object is preshared among the plurality of users.
 8. The method of claim 1, wherein the object is a group encryption key defined for a group of users.
 9. A processing system comprising one or more processors configured to perform the method of claim 1.
 10. A processing system comprising one or more processors configured to: a) encrypt an object to be stored with a key, b) compute one or more hash values for the object to be stored, c) store the encrypted object on a plurality of storage nodes, d) provide storage location data for the stored object, e) compute a transaction for a blockchain, wherein information is encoded in the transaction, the encoded information representing the storage location data, the computed one or more hash values and key data, wherein the key data includes at least one of: (i) a copy of the key and (ii) a copy of a master secret from which the key was derived, wherein the key data encoded into the blockchain transaction, including the at least one of the copy of the key and the copy of the master secret for deriving the key, is encrypted, and f) store the transaction in the blockchain.
 11. The system of claim 10, wherein the one or more processors are configured such that the key data in the blockchain transaction includes the copy of the key, which is encrypted.
 12. The system of claim 10, wherein the one or more processors are configured to: retrieve the object from one or more of the storage nodes; compare a hash value of the retrieved object with the hash value computed during storage of the object and, based on the hash values matching, determining that the stored object has not been altered.
 13. The system of claim 10, wherein the one or more processors are configured to: receive a number of confirmations for the transaction stored in the blockchain by the blockchain nodes, and compare the number of confirmations with a predefined threshold confirmation number, wherein the predefined threshold confirmation number is computed such that with a pregiven certainty the encoded information in the transaction stored in the blockchain cannot be modified.
 14. The system of claim 10, wherein the one or more processors are configured such that the key data includes the copy of the master secret, which is encrypted.
 15. A non-transitory computer-readable medium comprising program code for configuring a processing system comprising one or more processors to perform the method of claim 1.